Application No. 10/630,162 

Amendment "I" dated November 2, 2010 

Reply to Non-Final Office Action mailed June 16, 2010 

AMENDMENTS TO THE CLAIMS 

This listing of claims replaces all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1-23. (Cancelled). 

24. (Currently Amended) In a computer system, the computer system including 
system memory, a processor, and a computer-readable medium, a data store and a method store 
being stored on the computer-readable medium, the data store and the method store arranged 
together in a combined item hierarchy on the computer-readable medium, the data store having 
least one data item that depends from a method in the method store and the method store having 
at least one method that depends from data in the data store, the combined item hierarchy being 
divided into one or more no n- overlapping security zones, each of the one or more non- 
overlapping security zones being defined as a grouping of one or more data items and one or 
more method items having common security rules such that principals with rights to items in a 
non-overlapping security zone can treat all the items in the non-overlapping security zone 
uniformly in accordance with common security rules, a method of authenticating principal 
identity and then splitting the one or more non-overlapping security zones into a plurality of non- 
overlapping security zones to facilitate more efficient assignment of rights to principals, 
comprising: 

an act of accessing a first access control list, the first access control list defining 
rights based on common security rules that principals are to have in an existing non- 
overlapping zone from among the one or more non-overlapping zones; 

an act of accessing authentication information that specifies the identity of the 
principals that are to have the rights in the existing non-overlapping zone; 

an act of authenticating the principals by verifying the identity of the principals by 
using the authentication information and by verifying that the principals are to have the 
rights defined in the first access control list; 

an act of identifying a grouping of data items and method items in the combined 
item hierarchy for which new common security rules are to be enforced, the identified 
grouping of data items and method items currently included in the existing non- 
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overlapping zone, existing common security rules being enforced within the existing non- 
overlapping zone, the new common security rules differing from the existing common 
security rules being enforced within the existing non-overlapping zone; 

an act of the processor re-configuring the one or more non-overlapping security 
zones so that rights can be assigned at a granularity that is finer than an entire database 
but yet coarse enough so as to not require assignment for each item, including: 

an act of splitting the existing non-overlapping security zone into a new 
non-overlapping security zone and a remnant of the existing non-overlapping 
security zone, the arrangement of the new non-overlapping security zone relative 
to the remnant of the existing non-overlapping security zone based on the location 
of the identified grouping of data items and method items within the combined 
item hierarchy, the new non-overlapping security zone for containing the 
identified grouping of data items and methods items, the remnant of the existing 
non-overlapping security zone containing at least one data item or method item 
from the existing non-overlapping security zone, wherein said splitting is 
restricted in such a way as to prevent overlapping between security zones and 
such that none of the data items and method items are included in more than one 
security zone; and 

an act of labeling each of the items in the identified grouping of data items 
and method items with a security zone enumeration corresponding to the new 
non-overlapping security-zones zone to represent that the identified grouping of 
data items and method items are contained in the new non-overlapping security 
zone; 

for any principals that had existing rights in the existing non-overlapping security 
zone based on the existing common security rules being enforced in the existing non- 
overlapping security zone at the time the existing non-overlapping zone was split, an act 
of retaining those existing rights in the new non-overlapping security zone, including in 
the identified grouping of data items and methods items, subsequent to splitting the 
existing non-overlapping security zone and subsequent to labeling to represent that the 
identified grouping of data items and methods items are contained in the new non- 
overlapping security zone; and 
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an act of identifying and g ranting one or more other rights in the new non- 
overlapping zone to one or more additional principals in accordance with the new 
common security rules, wherein identifying and granting the one or more rights is 
performed subsequent to the act of splitting the existing non-overlapping security zone 
into the new non-overlapping security zone and the remnant of the existing non- 
overlapping security zone, and wherein granting the one or more rights includes 
assigning the other rights to the new non-overlapping zone collectively granting the other 
rights to each item in the identified grouping of data items and method items through the 
assignment of the other rights to the new non-overlapping security zone, the other rights 
differing from the existing rights. 

25. (Previously Presented) The method of claim 24, wherein specifying the one or 
more additional principals is performed by the one or more main principals. 

26. (Cancelled) 

27. (Previously Presented) The method of claim 24, the rights being security rights. 

28. (Previously Presented) The method of claim 24, the rights being auditing rights. 
29-33. (Cancelled). 
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34. (Currently Amended) A computer program product for use at a computer system, 
the computer program product comprising one or more computer-readable storage media, a data 
store and a method stored being stored on the one or more computer-readable storage media, the 
data store and the method store arranged together in a combined item hierarchy on the computer- 
readable medium, the data store having least one data item that depends from a method in the 
method store and the method store having at least one method that depends from data in the data 
store, the combined item hierarchy being divided into one or more non-overlapping security 
zones, each of the one or more no n- overlapping security zones being defined as a grouping of 
one or more data items and one or more method items having common security rules such that 
principals with administrative rights to items in a non-overlapping security zone can treat all the 
items in the non-overlapping security zone uniformly in accordance with common security rules, 
the computer-readable storage media also storing computer-executable instructions that, when 
executed by a processor, cause the computer system to perform a method of authenticating 
principal identity and then splitting the one or more non-overlapping security zones into a 
plurality of non-overlapping security zones to facilitate more efficient delegation of 
administrative rights to principals, comprising: 

an act of accessing a first access control list, the first access control list defining 
administrative rights based on common security rules that principals are to have in an 
existing no n- overlapping zone from among the one or more non-overlapping zones; 

an act of accessing authentication information that specifies the identity of the 
principals that are to have the administrative rights in the existing non-overlapping zone; 

an act of authenticating the principals by verifying the identity of the principals by 
using the authentication information and by verifying that the principals are to have the 
administrative rights defined in the first access control list; 

an act of identifying a grouping of data items and method items in the combined 
item hierarchy for which new common security rules are to be enforced, the identified 
grouping of data items and method items currently included in the existing non- 
overlapping zone, existing common security rules being enforced within the existing non- 
overlapping zone, the new common security rules differing from the existing common 
security rules being enforced within the existing non-overlapping zone; 

an act of the re-configuring the one or more non-overlapping security zones so 
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that administrative rights can be delegated at a granularity that is finer than an entire 
database but yet coarse enough so as to not require delegation for each item, including: 

an act of splitting the existing non-overlapping security zone into a new 
non-overlapping security zone and a remnant of the existing non-overlapping 
security zone, the arrangement of the new non-overlapping security zone relative 
to the remnant of the existing non-overlapping security zone based on the location 
of the identified grouping of data items and method items within the combined 
item hierarchy, the new non-overlapping security zone for containing the 
identified grouping of data items and methods items, the remnant of the existing 
non-overlapping security zone containing at least one data item or method item 
from the existing non-overlapping security zone, wherein said splitting is 
restricted in such a way as to prevent overlapping between security zones and 
such that none of the data items and method items are included in more than one 
security zone; and 

an act of labeling each of the items in the identified grouping of data 
items and method items with a security zone enumeration corresponding to the 
new no n- overlapping security-ze^e s zone to represent that the identified grouping 
of data items and method items are contained in the new non-overlapping security 
zone; 

for any principals that had existing administrative rights in the existing non- 
overlapping security zone based on the existing common security rules being enforced in 
the existing non-overlapping security zone at the time the existing non-overlapping zone 
was split, an act of retaining those existing administrative rights in the new non- 
overlapping security zone, including in the identified grouping of data items and methods 
items, subsequent to splitting the existing non-overlapping security zone and subsequent 
to labeling to represent that the identified grouping of data items and methods items are 
contained in the new non-overlapping security zone; and 

an act of identifying and g ranting other administrative rights in the new non- 
overlapping zone to one or more additional principals in accordance with the new 
common security rules, wherein identifying and granting the one or more rights is 
performed subsequent to the act of splitting the existing non-overlapping security zone 
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into the new non-overlapping security zone and the remnant of the existing non- 
overlapping security zone, and wherein granting the one or more rights includes 
assigning the other administrative rights to the new non-overlapping zone collectively 
granting the other administrative rights to each item in the identified grouping of data 
items and method items through the granting of the other administrative rights to the new 
non-overlapping security zone, the other administrative rights differing from the existing 
administrative rights. 

35. (Cancelled). 

36. (Previously Presented) The method of claim 24, wherein the existing common 
security rules comprise a second access control list defining the rights a principal has to the items 
in the remnant of the existing no n- overlapping security zone. 

37. (Previously Presented) The method of claim 24, wherein the new common 
security rules comprise a second access control list defining the rights a principal has to the items 
in the new non-overlapping security zone. 

38. (Previously Presented) The computer program product of claim 34, wherein 
specifying the one or more additional principals is performed by the one or more main principals. 

39. (Cancelled) 

40. (Previously Presented) The computer program product of claim 34, the 
administrative rights being security rights. 

41. (Previously Presented) The computer program product of claim 34, the 
administrative rights being auditing rights. 
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42. (Previously Presented) The computer program product of claim 34, wherein the 
existing common security rules comprise a second access control list defining the rights a 
principal has to the items in the remnant of the existing non-overlapping security zone. 

43. (Previously Presented) The computer program product of claim 34, wherein the 
new common security rules comprise a second access control list defining the rights a principal 
has to the items in the new non-overlapping security zone. 

44. (Previously Presented) The method as recited in claim 24, wherein an act 
of granting other rights in the new non-overlapping security zone to one or more additional 
principals in accordance with the new common security rules comprises an act of granting a set 
of rights in the non-overlapping security zone to the one or more additional principals so as to 
collectively grant the set of rights to the one or more additional principals for each item in the 
identified grouping of data items and method items through the granting of the set of rights in the 
new non-overlapping security zone, the set of rights including one or more rights selected from 
among: read, write, delete, and execute. 

45. (Previously Presented) The computer program product as recited in claim 
34, wherein an act of granting other rights in the new non-overlapping security zone to one or 
more additional principals in accordance with the new common security rules comprises an act 
of granting a set of rights in the non-overlapping security zone to the one or more additional 
principals so as to collectively grant the set of rights to the one or more additional principals for 
each item in the identified grouping of data items and method items through the granting of the 
set of rights in the new non-overlapping security zone, the set of rights including one or more 
rights selected from among: read, write, delete, and execute. 
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46. (New) In a computer system, the computer system including a processor and one 
or more computer-readable media, the one or more computer-readable media including a data 
and method store, a method of splitting a security zone into non-overlapping security zone to 
facilitate more efficient assignment of rights to principals, comprising using the processor to: 

access a first access control list, the first access control list defining rights based 
on security rules that principals are to have in an existing, first non-overlapping zone 
from among one or more non-overlapping zones in a hierarchy of data and/or method 
items; 

split the first no n- overlapping zone into a new non-overlapping security zone and 
a remnant non-overlapping security zone, wherein splitting the first non-overlapping zone 
includes: 

associating the first access control list with the remnant non-overlapping 
security zone such that the remnant non-overlapping security zone maintains the 
rights defined based on the security rules that the principals are to have in the first 
non-overlapping zone; and 

creating the new non-overlapping security zone without any security rules 
associated therewith, such that none of the security rules of the first non- 
overlapping zone are automatically associated with the new non-overlapping 
zone; and 

after splitting the first non-overlapping zone, identifying and granting one or more 
other rights to be granted in the new non-overlapping zone to one or more principals in 
accordance with new security rules, and collectively applying the granted one or more 
other rights to all items in the new non-overlapping security zone. 

47. (New) The method recited in claim 46, wherein collectively applying the granted 
one or more other rights to all items in the new non-overlapping security zone includes applying 
the one or more other rights only to the items in the new non-overlapping security zone such that 
all other non-overlapping security zones maintain their existing rights and are isolated from the 
changes to the new non-overlapping zone.. 
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